Abstract. We find linear (as well as quadratic) relations in a very large class of T-functions. The relations may be used in the analysis of T-function-based stream ciphers.


1. Introduction 

For years linear feedback shift registers (LFSRs) over the 2-element field $\mathbb{F}_2$ have been one of the most important building blocks in keystream generators of stream ciphers. LFSRs can easily be designed to produce binary sequences of the longest period (that is, of length $2^k - 1$ for a $k$-cell LFSR over $\mathbb{F}_2$); LFSRs are fast and easy to implement in hardware. However, sequences produced by LFSRs have linear dependencies that make it easy to analyse the sequences and to construct attacks on the whole cipher. To make output sequences of LFSRs more secure these linear dependencies must be destroyed by a properly chosen filter; it is the filter that carries the major cryptographic load making the whole cipher secure.

Recently, T-functions were found to be useful tools for designing fast cryptographic primitives and ciphers based on the use of both arithmetic (addition, multiplication) and logical operations, see [?], [?], [?], [17], [?], [18], [21], [20], [19], [24], [29], [1], [3], [?], [26]. Loosely speaking, a T-function is a map of $k$-bit words into $k$-bit words such that the $i$-th bit of the image depends only on the low-order bits $0, \ldots, i$ of the pre-image. Various methods are known to construct transitive T-functions (the ones that produce sequences of the longest possible period, $2^k$), see [3], [6], [2], [5], [?], [?], [?], [25], [17], [?], [18], [20], [14]. Transitive T-functions have been considered as a candidate to replace LFSRs in keystream generators of stream ciphers, see e.g. [?], [?], [?], [?], [?], [31], since sequences produced by T-function-based keystream generators are proved to have a number of good cryptographic properties, e.g., high linear and 2-adic complexity, uniform distribution of subwords, etc., see [3], [23], [1], [41]. However, any word sequence produced by a transitive T-function has a well-known deficiency: the less significant the position $n$ of a bit in the word, the shorter the period of the corresponding bit sequence in the output word sequence. To be more exact, given a transitive T-function $f$, consider a $k$-bit word sequence $x_0, x_1, \ldots$ produced by $f$ with respect to the recurrence law

$$x_i = f(x_{i-1}) = f^i(x_0) = f(\ldots(f(x_0))\ldots), \qquad i = 0, 1, 2, \ldots,$$

(by definition, $f^0(x_0) = x_0$); denote by $\delta_n(x_i)$ the $n$-th bit of the word $x_i$, $n = 0, 1, \ldots, k-1$; then the length of the shortest period of the bit sequence $\delta_n(x_0), \delta_n(x_1), \ldots$ (the $n$-th coordinate sequence) is $2^{n+1}$. That is, only the highest order coordinate sequence $\delta_{k-1}(x_0), \delta_{k-1}(x_1), \ldots$ reaches the longest period, of length $2^k$. That is why the low-order coordinate sequences are never used to form a keystream; they either are just deleted or serve to control other parts of the cipher.

Moreover, the second half of the period of the coordinate sequence is just the inverse of its first half:

(1.1) $\delta_n(x_{i+2^n}) \equiv \delta_n(x_i) + 1 \pmod 2$, for all $i, n = 0, 1, 2, \ldots$

Fortunately, the latter property does not cause big problems: speaking loosely, given an arbitrary transitive T-function $f$, the half-periods $\delta_n(x_0), \ldots, \delta_n(x_{2^n - 1})$ should be considered as random and adjacent coordinate sequences $\delta_{n-1}(x_0), \delta_{n-1}(x_1), \ldots$ and $\delta_n(x_0), \delta_n(x_1), \ldots$ as independent (see Theorem 4 for exact statements).

However, it was discovered that for certain T-functions the said independence of adjacent coordinate sequences does not take place: these sequences satisfy a linear relation of the form

(1.2) $\delta_n(x_{i+2^{n-1}}) \equiv \delta_n(x_i) + \delta_{n-1}(x_i) + z_i \pmod 2$, for all $i = 0, 1, 2, \ldots$,

where the length of the period of the sequence $z_i$ is only 4 (and not $2^n$ as in the general case, for an arbitrary transitive T-function). Namely, Molland and Helleseth in [30] proved this for the transitive T-function $f(x) = x + (x^2 \vee C)$ suggested by Klimov and Shamir in [17]; Jin-Song Wang and Wen-Feng Qi in [38] obtained a similar result for a transitive polynomial function $f(x) = c_0 + c_1 x + c_2 x^2 + \cdots + c_m x^m$ with integer coefficients $c_0, c_1, \ldots \in \mathbb{Z} = \{0, \pm 1, \pm 2, \ldots\}$.
Our contribution. It is fourfold: 

• First we prove that relations of type (1.2) hold for a much wider class of T-functions than polynomials over $\mathbb{Z}$ and Klimov-Shamir functions $f(x) = x + (x^2 \vee C)$, $C \in \mathbb{Z}$. This wider class contains exponential T-functions (like $f(x) = 3x + 3^x$), fractional T-functions (like $f(x) = 1 + x + \ldots$, with a fractional third term) and many other T-functions that might be extremely complex compositions of numerical and logical operators, like the following one:



In Theorem 5 below we prove that for the mentioned class of T-functions (which is precisely defined further on) relation (1.2) holds; the length of the period of the binary sequence $z_i$ in the relation depends on the function $f$ and is not necessarily 4 any longer; however, it is still short.

• Second, for a slightly narrower class of T-functions than the previous one, we prove that a quadratic relation holds for any three consecutive coordinate sequences, see Theorem 6 below. Earlier a relation of this sort was known only for the Klimov-Shamir T-function, see the paper [?] by Yong-Long Luo and Wen-Feng Qi.

• Third, we show that both linear and quadratic relations of this sort hold not only for univariate 
T-functions, but also for multi-word T-functions and even for cascaded compositions of T-functions 
with other generators. 

• Finally, we demonstrate how, using the mentioned relations between coordinate sequences, one can recover the remaining coordinate sequences of lower orders even if the T-function from the mentioned class has not been specified. That is, for instance, if $f$ is a polynomial with integer coefficients, there is no need to know its coefficients to recover the low-order coordinate sequences $(\delta_{n-2}(x_i))$, $(\delta_{n-3}(x_i))$, ..., given only a pair of coordinate sequences $(\delta_n(x_i))$ and $(\delta_{n-1}(x_i))$. This is an important conclusion since in some stream ciphers (see e.g., [?], [9]) the coefficients of a T-function are formed during a 'warming-up' stage; i.e., the coefficients are obtained from a key and an initial vector by a special complicated procedure and thus are not known to a cryptanalyst.

The paper serves as a sort of warning to a designer of a T-function-based stream cipher to avoid possible flaws: both the choice of the T-function and the way it is used must guarantee that either there are no relations of this sort among coordinate sequences or they are hidden deep enough (e.g., by a proper filter) to prevent their use by a cryptanalyst. Even truncation of low-order bits may not be a remedy!

Last, but not least: we obtain our results by using techniques of 2-adic analysis; that is, we extend T-functions to the whole space $\mathbb{Z}_2$ of 2-adic integers and study the corresponding dynamics. That is why we need to introduce some notions and results from 2-adic analysis (and the 2-adic ergodic theory) before stating our results. It is worth noting here that the approach based on 2-adic dynamics (and, more widely, on $p$-adic dynamics and on algebraic dynamics) has recently proved its effectiveness in various cryptographic applications; see the corresponding monograph [3] for further details.

The paper is organized as follows:

• Section 2 concerns basics of the non-Archimedean theory for T-functions;

• Section 3 states our two main results (see Appendix ?? for proofs);

• Section 4 discusses applications to T-function-based stream ciphers;

• we conclude in Section 5.



2. The 2-adic theory of T-functions: brief survey

In this section we introduce the basics of what can be called a non-Archimedean approach to T-functions. We start with a definition of a T-function and show that T-functions can be treated as continuous functions defined on and valued in the space of 2-adic integers. Therefore we introduce the basics of 2-adic arithmetic and of 2-adic Calculus that we will need to state and prove our main result. There are many comprehensive monographs on $p$-adic numbers and $p$-adic analysis that contain all necessary definitions and proofs, see e.g. [?], [?], [33] or the introductory chapters in [?]; so further in the section we introduce 2-adic numbers in a somewhat informal manner.

It is worth noting here that the theory of T-functions (which actually are functions that satisfy a Lipschitz condition with constant 1 w.r.t. the 2-adic metric) was developed by mathematicians during decades prior to the first publication of Klimov and Shamir on T-functions [17] in 2003, and in a much more general setting, for an arbitrary prime $p$, and not only for $p = 2$. Moreover, various criteria of invertibility and of the single cycle property of T-functions were obtained within the $p$-adic ergodic theory (see e.g. [?], [4]) nearly a decade prior to the first publication of Klimov and Shamir on T-functions [17]: actually a T-function $f$ is invertible if and only if it preserves the Haar measure on 2-adic integers, and $f$ has the single cycle property if and only if it is ergodic w.r.t. the Haar measure. Unfortunately, the cryptographic community was not aware of that work done by mathematicians, although in various papers it was directly pointed out that these functions might be useful in cryptography, see e.g. [4], [7], [5], [6]. At the moment, there exists a well developed mathematical discipline, the $p$-adic ergodic theory, a part of non-Archimedean dynamics, and various crucial cryptographic properties of T-functions can be studied, properly understood and explained within this theory. Moreover, the theory has well-developed tools to study cascaded compositions that include T-functions along with other standard cryptographic primitives (e.g., LFSRs): the compositions can be treated as wreath products of dynamical systems, and the single cycle property of the composition is just ergodicity of the corresponding dynamical system, the wreath product. So the present paper serves as an example of how effective the tools of the mentioned theory are in a study of concrete cryptographic properties. For further reading on the theory as well as on its applications to cryptography (and to other sciences) readers are referred to the monograph [3].

2.1. T-functions. An $n$-variate T-function is a mapping

(2.1) $(\alpha_0, \alpha_1, \alpha_2, \ldots) \mapsto (\Phi_0(\alpha_0), \Phi_1(\alpha_0, \alpha_1), \Phi_2(\alpha_0, \alpha_1, \alpha_2), \ldots)$,

where $\alpha_j \in \mathbb{F}_2^n$ is a Boolean columnar $n$-dimensional vector over the 2-element field $\mathbb{F}_2 = \{0, 1\}$, and

$\Phi_j \colon (\mathbb{F}_2^n)^{j+1} \to \mathbb{F}_2^m$

maps $(j+1)$ Boolean columnar $n$-dimensional vectors $\alpha_0, \ldots, \alpha_j$ to the $m$-dimensional columnar Boolean vector $\Phi_j(\alpha_0, \ldots, \alpha_j)$. Accordingly, a univariate T-function $f$ is a mapping

(2.2) $(x_0; x_1; x_2; \ldots) \mapsto (\psi_0(x_0); \psi_1(x_0, x_1); \psi_2(x_0, x_1, x_2); \ldots)$,

where $x_j \in \{0, 1\}$ and each $\psi_j(x_0, \ldots, x_j)$ is a Boolean function in the Boolean variables $x_0, \ldots, x_j$. T-functions may be viewed as mappings from non-negative integers to non-negative integers: e.g., a univariate T-function $f$ sends a number with the base-2 expansion

$x_0 + x_1 \cdot 2 + x_2 \cdot 2^2 + \cdots$

to the number with the base-2 expansion

$\psi_0(x_0) + \psi_1(x_0, x_1) \cdot 2 + \psi_2(x_0, x_1, x_2) \cdot 2^2 + \cdots$

Further in the paper we refer to these Boolean functions $\psi_0, \psi_1, \psi_2, \ldots$ as the coordinate functions of the T-function $f$. If we restrict T-functions to the set of all numbers whose base-2 expansions are not longer than $k$, we sometimes refer to these restrictions as T-functions on $k$-bit words: we usually associate the set of all $k$-bit words with the set $\{0, 1, \ldots, 2^k - 1\}$ of all residues modulo $2^k$; the latter set constitutes the residue ring $\mathbb{Z}/2^k\mathbb{Z}$ modulo $2^k$ w.r.t. the modulo $2^k$ operations of addition and multiplication.

The determinative property of T-functions (which might be used to state an equivalent definition of a T-function) is compatibility with all congruences modulo powers of 2: given a (univariate) T-function $f$,

(2.3) if $a \equiv b \pmod{2^n}$ then $f(a) \equiv f(b) \pmod{2^n}$.

Vice versa, every compatible map is a T-function.

Important examples of T-functions are basic machine instructions:

• integer arithmetic operations (addition, multiplication, ...);

• bitwise logical operations ($\vee$, $\oplus$, $\wedge$, $\neg$);

• some of their compositions (masking, shifts towards high order bits, reduction modulo $2^k$).

Since obviously a composition of T-functions is a T-function (for instance, any polynomial with integer coefficients is a T-function), T-functions are natural functions that can be evaluated by digital computers.

2.2. 2-adic numbers and 2-adic Calculus. As it follows directly from the definition, any T-function is well-defined on the set $\mathbb{Z}_2$ of all infinite binary sequences $\ldots\delta_2(x)\delta_1(x)\delta_0(x) = x$, where $\delta_j(x) \in \{0, 1\}$, $j = 0, 1, 2, \ldots$. Arithmetic operations (addition and multiplication) with these sequences can be defined via the standard "school-textbook" algorithms of addition and multiplication of natural numbers represented by base-2 expansions. Each term of a sequence that corresponds to the sum (respectively, to the product) of two given sequences can be calculated by these algorithms within a finite number of steps.

Thus, $\mathbb{Z}_2$ is a commutative ring with respect to the so defined addition and multiplication. The ring $\mathbb{Z}_2$ is called the ring of 2-adic integers. The ring $\mathbb{Z}_2$ contains a subring $\mathbb{Z}$ of all rational integers: for instance, $\ldots 111 = -1$, since

      ...1111
    + ...0001
    ---------
      ...0000

Moreover, the ring $\mathbb{Z}_2$ contains all rational numbers that can be represented by irreducible fractions with odd denominators. For instance, the following calculation shows that $\ldots 01010101 \times \ldots 00011 = \ldots 111$, i.e., that $\ldots 01010101 = -1/3$ since $\ldots 00011 = 3$ and $\ldots 111 = -1$:

      ...010101
    x ...000011
    -----------
      ...010101
    + ...10101
    -----------
      ...111111

Sequences with only a finite number of 1s correspond to non-negative rational integers in their base-2 expansions, sequences with only a finite number of 0s correspond to negative rational integers, while eventually periodic sequences (that is, sequences that become periodic starting from a certain place) correspond to rational numbers represented by irreducible fractions with odd denominators: for instance, $3 = \ldots 00011$, $-3 = \ldots 11101$, $1/3 = \ldots 10101011$, $-1/3 = \ldots 1010101$. So the $j$-th term $\delta_j(u)$ of the corresponding sequence $u \in \mathbb{Z}_2$ is merely the $j$-th digit of the base-2 expansion of $u$ whenever $u$ is a non-negative rational integer, $u \in \mathbb{N}_0 = \{0, 1, 2, \ldots\}$.

What is important, the ring $\mathbb{Z}_2$ is a metric space with respect to the metric (distance) $d_2(u, v)$ defined by the following rule: $d_2(u, v) = \|u - v\|_2 = 1/2^n$, where $n$ is the smallest non-negative rational integer such that $\delta_n(u) \ne \delta_n(v)$, and $d_2(u, v) = 0$ if no such $n$ exists (i.e., if $u = v$). For instance, $d_2(3, 1/3) = 1/8$. The function $d_2(u, 0) = \|u\|_2$ is the 2-adic absolute value of the 2-adic integer $u$, and $\operatorname{ord}_2 u = -\log_2 \|u\|_2$ is the 2-adic valuation of $u$. Note that for $u \in \mathbb{N}_0$ the valuation $\operatorname{ord}_2 u$ is merely the exponent of the highest power of 2 that divides $u$ (thus, loosely speaking, $\operatorname{ord}_2 0 = \infty$, so $\|0\|_2 = 0$).
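As an added illustration (my own code, not from the paper), the following Python computes the canonical 2-adic expansion of any rational with odd denominator to a chosen number of digits, together with $\operatorname{ord}_2$, $\|\cdot\|_2$ and the distance $d_2$, and reproduces the expansions of $3$, $-3$, $-1$, $\pm 1/3$ and the value $d_2(3, 1/3) = 1/8$ from the text; the function names are my own.

```python
from fractions import Fraction
import math


def two_adic_digits(r, ndigits):
    """Digits delta_0(r), ..., delta_{ndigits-1}(r) of the canonical 2-adic expansion
    of the rational r = p/q with q odd.  Since q is odd it is invertible modulo
    2^ndigits, so p/q modulo 2^ndigits is an ordinary modular product."""
    r = Fraction(r)
    p, q = r.numerator, r.denominator
    if q % 2 == 0:
        raise ValueError("only fractions with odd denominators are 2-adic integers")
    modulus = 1 << ndigits
    u = (p * pow(q, -1, modulus)) % modulus      # p/q reduced modulo 2^ndigits
    return [(u >> i) & 1 for i in range(ndigits)]


def expansion_str(r, ndigits):
    """The expansion written as in the text: highest digit first, preceded by '...'."""
    digits = two_adic_digits(r, ndigits)
    return "..." + "".join(str(d) for d in reversed(digits))


def ord2(u):
    """2-adic valuation: exponent of the highest power of 2 dividing u (infinity for 0).
    For p/q with q odd only the numerator contributes."""
    u = Fraction(u)
    if u == 0:
        return math.inf
    p = abs(u.numerator)
    return (p & -p).bit_length() - 1          # number of trailing zero bits of p


def two_adic_abs(u):
    """||u||_2 = 2^(-ord_2 u), with ||0||_2 = 0."""
    v = ord2(u)
    return Fraction(0) if v == math.inf else Fraction(1, 1 << v)


def two_adic_distance(u, v):
    """d_2(u, v) = ||u - v||_2."""
    return two_adic_abs(Fraction(u) - Fraction(v))


def first_differing_digit(u, v, ndigits):
    """Digit-wise definition of d_2 from the text: the first n with delta_n(u) != delta_n(v)
    (None if the expansions agree on all ndigits digits)."""
    du, dv = two_adic_digits(u, ndigits), two_adic_digits(v, ndigits)
    for n, (a, b) in enumerate(zip(du, dv)):
        if a != b:
            return n
    return None


if __name__ == "__main__":
    for r in (3, -3, -1, Fraction(1, 3), Fraction(-1, 3)):
        print(f"{str(r):>4} = {expansion_str(r, 8)}")
    print("d_2(3, 1/3) =", two_adic_distance(3, Fraction(1, 3)))
    # the sequence 2^n - 1 tends to -1 in the 2-adic metric
    print([two_adic_distance((1 << n) - 1, -1) for n in range(1, 6)])
```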

Now we can represent every 2-adic integer $x = \ldots\delta_2(x)\delta_1(x)\delta_0(x)$ (where $\delta_i(x) \in \{0, 1\}$, $i = 0, 1, 2, \ldots$) as the series

(2.4) $x = \sum_{i=0}^{\infty} \delta_i(x) \cdot 2^i$ (where $\delta_i(x) \in \{0, 1\}$, $i = 0, 1, 2, \ldots$).

The series on the right-hand side is called the canonical 2-adic expansion of the 2-adic integer $x$; the series converges to $x$ with respect to the 2-adic metric.

Although T-functions are maps from 2-adic integers to 2-adic integers, we also introduce here 2-adic numbers which are not necessarily 2-adic integers. Denote by $\mathbb{Q}_2$ the set of all series of the form $u = \sum_{j=-k}^{\infty} a_j 2^j$ for all $k = 0, 1, 2, \ldots$ and all $a_{-k}, a_{-k+1}, \ldots \in \{0, 1\}$. In a way similar to that in which we have defined addition and multiplication on $\mathbb{Z}_2$, we define these operations on $\mathbb{Q}_2$; the set $\mathbb{Q}_2$ with respect to the so defined addition and multiplication is the field of 2-adic numbers, whereas $\mathbb{Z}_2$ is the ring of integers of this field. The absolute value $\|\cdot\|_2$ can be extended to the whole field $\mathbb{Q}_2$ (by setting $\|u\|_2 = 2^{-t}$ where $t$ is the smallest of $j = -k, -k+1, \ldots$ such that $a_j \ne 0$); so $\mathbb{Q}_2$ is a metric space, and the 2-adic absolute value $\|\cdot\|_2$ satisfies all the usual axioms. In particular, given $a, b, c \in \mathbb{Q}_2$,

(1) $\|a \cdot b\|_2 = \|a\|_2 \cdot \|b\|_2$,

(2) $\|a - c\|_2 \le \|a - b\|_2 + \|b - c\|_2$ (the triangle inequality).

It is worth noting here that for the 2-adic metric the triangle inequality actually holds in a stronger form:

$\|a - c\|_2 \le \max\{\|a - b\|_2, \|b - c\|_2\}$ (the strong triangle inequality),

for all $a, b, c \in \mathbb{Q}_2$. Now a metric on the $n$-th Cartesian power $\mathbb{Q}_2^n$ of $\mathbb{Q}_2$ can be defined in the following way: $\|(a_1, \ldots, a_n) - (b_1, \ldots, b_n)\|_2 = \max\{\|a_i - b_i\|_2 : i = 1, 2, \ldots, n\}$ for every $(a_1, \ldots, a_n), (b_1, \ldots, b_n) \in \mathbb{Q}_2^n$.

Once the metric is defined, one defines the notions of convergent sequences, limits, continuous functions on the metric space, and derivatives if the space is a commutative ring. For instance, with respect to the 2-adic metric the following sequence tends to $-1$:

$1, 3, 7, 15, 31, \ldots, 2^n - 1, \ldots \to -1$.

Derivatives of a function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$, which is defined on and valued in the space $\mathbb{Z}_2$ of 2-adic integers, may be defined in the standard way as in classical (e.g., real) Calculus just by replacing the real absolute value $|\cdot|$ by the 2-adic absolute value $\|\cdot\|_2$, as follows:

Definition 1 (2-adic differentiability). The function $f$ is said to be differentiable at the point $x \in \mathbb{Z}_2$ (and the 2-adic number $f'(x) \in \mathbb{Q}_2$ is said to be its derivative at the point $x$) if and only if for arbitrary $M \in \mathbb{N} = \{1, 2, \ldots\}$ and sufficiently small (w.r.t. the 2-adic absolute value) $h$ the following inequality holds:

$$\left\| \frac{f(x+h) - f(x)}{h} - f'(x) \right\|_2 \le \frac{1}{2^M}.$$

Reduction modulo $2^n$ of a 2-adic integer $v$, i.e., setting all terms of the corresponding sequence with indexes greater than $n - 1$ to zero (that is, taking the first $n$ digits in the representation of $v$), is just an approximation of the 2-adic integer $v$ by a rational integer with precision $1/2^n$: this approximation is the $n$-digit positive rational integer $v \wedge (2^n - 1)$; the latter will also be denoted as $v \bmod 2^n$.

Actually a processor works with approximations of 2-adic integers with respect to the 2-adic metric: when an overflow happens, i.e., when a number that must be written into an $n$-bit register consists of more than $n$ significant bits, the processor just writes only the $n$ low order bits of the number into the register, thus reducing the number modulo $2^n$. Thus, the precision of the approximation is defined by the bitlength of the processor.



2.3. 2-adic continuity of T-functions. What is most important within the scope of the paper is that all T-functions are continuous functions of 2-adic variables since all T-functions satisfy the Lipschitz condition with constant 1 with respect to the 2-adic metric, and vice versa.

Indeed, it is obvious that the function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ satisfies the condition $\|f(u) - f(v)\|_2 \le \|u - v\|_2$ for all $u, v \in \mathbb{Z}_2$ if and only if $f$ is compatible, since the inequality $\|a - b\|_2 \le 1/2^k$ is just equivalent to the congruence $a \equiv b \pmod{2^k}$. A similar property holds for $n$-variate T-functions (we just use the metric $\|\cdot\|_2$ on the $n$-th Cartesian power $\mathbb{Z}_2^n$). So we conclude:

T-functions = compatible functions = 1-Lipschitz functions

This implies in particular that given a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and $n \in \mathbb{N}$, the map $f \bmod 2^n \colon z \mapsto f(z) \bmod 2^n$ is a well-defined transformation of the residue ring $\mathbb{Z}/2^n\mathbb{Z} = \{0, 1, \ldots, 2^n - 1\}$; actually the reduced map $f \bmod 2^n$ is a T-function on $n$-bit words.

The observation we have just made indicates why 2-adic analysis can be used in a study of T-functions. For instance, one can prove that the following functions satisfy the Lipschitz condition with constant 1 and thus are T-functions (and so can also be used in compositions of cryptographic primitives):

• subtraction: $(u, v) \mapsto u - v$;

• exponentiation: $(u, v) \mapsto (1 + 2u)^v$;

• raising to negative powers: $u \mapsto (1 + 2u)^{-n}$;

• division: $(u, v) \mapsto \dfrac{u}{1 + 2v}$.

We now consider derivatives of T-functions. We first note that as a T-function is merely a 1-Lipschitz function w.r.t. the 2-adic metric, once the derivative exists, the derivative must be a 2-adic integer. That is, for the case of T-functions we can re-state Definition 1 in the following equivalent form:

Definition 2 (differentiability of T-functions). A T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is said to be differentiable at the point $x \in \mathbb{Z}_2$ (and the 2-adic integer $f'(x) \in \mathbb{Z}_2$ is said to be its derivative at the point $x$) if and only if for arbitrary $M \in \mathbb{N} = \{1, 2, \ldots\}$ and sufficiently small (w.r.t. the 2-adic absolute value) $h \in \mathbb{Z}_2$ the following congruence holds:

$$f(x + h) \equiv f(x) + f'(x) \cdot h \pmod{2^{\operatorname{ord}_2 h + M}}.$$

TAO SHI, VLADIMIR ANASHIN, AND DONGDAI LIN

Example 1 (differentiability of $\wedge$). The function $f(x) = x \wedge c$ is differentiable at every $x \in \mathbb{Z}_2$ for any $c \in \mathbb{Z}$, and

$$f'(x) = \begin{cases} 0, & \text{if } c \ge 0; \\ 1, & \text{if } c < 0. \end{cases}$$

Proof. Indeed, take $n$ greater than the bitlength of $|c|$ (that is, $n > \log_2 |c| + 1$); then for all $s \in \mathbb{Z}_2$

$$f(x + 2^n s) = \begin{cases} f(x), & \text{if } c \ge 0, \\ f(x) + 2^n s, & \text{if } c < 0. \end{cases}$$

□



In the same manner we can fill in the rest of the table of derivatives of logical T-functions:

Example 2 (derivatives of other logical T-functions). Let $c \in \mathbb{Z}$; then for every $x \in \mathbb{Z}_2$

(2.5) $(\neg x)' = -1$; $\quad (x \oplus c)' = \begin{cases} 1, & \text{if } c \ge 0; \\ -1, & \text{if } c < 0; \end{cases} \quad (x \vee c)' = \begin{cases} 1, & \text{if } c \ge 0; \\ 0, & \text{if } c < 0. \end{cases}$

Note that the rules of differentiation (e.g., the chain rule) do not depend on the metric; thus they are the same both in the classical and in the 2-adic case, so applying the rules one can find derivatives of T-functions that are used in stream ciphers:

Example 3 (derivative of the Klimov-Shamir T-function).

$$(x + (x^2 \vee 5))' = 1 + 2x.$$

Now with the use of Definition 2 we define the notion of uniform differentiability of a T-function in the same way as in classical Calculus:

Definition 3 (uniform differentiability). A T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is called uniformly differentiable (or equidifferentiable) iff for every sufficiently large $M \in \mathbb{N}$ there exists $K \in \mathbb{N}$ such that once $\|h\|_2 \le 2^{-K}$ (that is, once $h \equiv 0 \pmod{2^K}$), the congruence

$$f(x + h) \equiv f(x) + f'(x) \cdot h \pmod{2^{\operatorname{ord}_2 h + M}}$$

holds for all $x \in \mathbb{Z}_2$. Given $M$, the minimum $K = K(M)$ with this property is denoted by $N_M(f)$.

For instance, it can easily be verified that the Klimov-Shamir T-function $f(x) = x + (x^2 \vee 5)$ is uniformly differentiable and $N_M(f) = M$.

Now we introduce another notion related to differentiability that has no direct analog in classical Calculus.

Definition 4 (differentiability modulo $2^M$). Given $M \in \mathbb{N}$, a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is said to be differentiable modulo $2^M$ at the point $x \in \mathbb{Z}_2$ (and the 2-adic integer $f'_{2^M}(x) \in \mathbb{Z}_2$ is said to be its derivative modulo $2^M$ at the point $x$) if and only if for sufficiently small (w.r.t. the 2-adic absolute value) $h \in \mathbb{Z}_2$ the following congruence holds:

$$f(x + h) \equiv f(x) + f'_{2^M}(x) \cdot h \pmod{2^{\operatorname{ord}_2 h + M}}.$$

Definition 5 (uniform differentiability modulo $2^M$). Given $M \in \mathbb{N}$, a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is called uniformly differentiable modulo $2^M$ iff there exists $K \in \mathbb{N}$ such that once $\|h\|_2 \le 2^{-K}$ (that is, once $h \equiv 0 \pmod{2^K}$), the congruence

$$f(x + h) \equiv f(x) + f'_{2^M}(x) \cdot h \pmod{2^{\operatorname{ord}_2 h + M}}$$

holds for all $x \in \mathbb{Z}_2$. The minimum $K = K(M)$ with this property is denoted by $N_M(f)$.
Note that the notion of derivative modulo $2^M$ is somewhat like saying 'a derivative with a precision of $M$ digits after the point' in classical Calculus; however, the latter is meaningless in real Calculus, whereas in 2-adic Calculus the phrase has a precise mathematical meaning.

From Definition 4 it readily follows that the derivative modulo $2^M$ is defined up to a summand which is $0$ modulo $2^M$; that is, if a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is uniformly differentiable modulo $2^M$ then its derivative modulo $2^M$ is a map from $\mathbb{Z}_2$ into the residue ring $\mathbb{Z}/2^M\mathbb{Z}$. Furthermore, it can be proved (see [3]) that a derivative modulo $2^M$ is a periodic function with a period of length $2^{N_M(f)}$. Thus we state

Proposition 1 (derivatives modulo $2^M$). If a T-function $f$ is uniformly differentiable modulo $2^M$, then its derivative modulo $2^M$ is a periodic function with a period of length $2^{N_M(f)}$; so the derivative can be considered as a map from the residue ring $\mathbb{Z}/2^{N_M(f)}\mathbb{Z}$ to the residue ring $\mathbb{Z}/2^M\mathbb{Z}$.

Rules of differentiation modulo $2^M$ are of a similar form to those of the classical case; however, they are congruences modulo $2^M$ rather than equalities.

Example 4. The T-function $f(x) = x \oplus (-1/3)$ is uniformly differentiable modulo $2^M$ if and only if $M = 1$; its derivative modulo 2 is 1, and $N_1(f) = 1$. If $M > 1$ then $f$ is differentiable modulo $2^M$ at no point.
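To make Definitions 3 to 5 and Examples 3 and 4 concrete, here is an added Python check (my code, not the authors') that tests the congruence $f(x+h) \equiv f(x) + f'(x)\,h \pmod{2^{\operatorname{ord}_2 h + M}}$ exhaustively over all residues $x$ modulo $2^{\operatorname{ord}_2 h + M}$ for every $h$ whose valuation lies in a small window at or above $K$; used this way it recovers $N_M(f) = M$ for the Klimov-Shamir function with $f'(x) = 1 + 2x$, and shows that $x \oplus (-1/3)$ passes modulo 2 but fails modulo 4 for either constant candidate derivative 1 or 3. It is a finite numerical check over a window of valuations, not a proof, and the window size and the candidate derivatives are my choices.

```python
def unif_diff_mod(f, df, M, K, window=4):
    """Numerical test of Definition 5: for every h with ord_2 h = e, K <= e < K + window,
    and every x modulo 2^(e+M), check  f(x+h) == f(x) + df(x)*h  (mod 2^(e+M)).
    Because f is a T-function, both sides modulo 2^(e+M) depend only on x and h
    modulo 2^(e+M), so looping over residues is exhaustive for those valuations.
    f and df receive the working precision B so that constants such as -1/3 can be
    reduced modulo 2^B."""
    for e in range(K, K + window):
        B = e + M
        mod = 1 << B
        for x in range(mod):
            for h in range(1 << e, mod, 1 << (e + 1)):      # exactly ord_2 h = e
                if (f(x + h, B) - f(x, B) - df(x, B) * h) % mod:
                    return False
    return True


def n_m(f, df, M, max_k=6):
    """Smallest K in {1, ..., max_k} for which the test passes, i.e. N_M(f) within the
    search bound; None if no such K exists."""
    for K in range(1, max_k + 1):
        if unif_diff_mod(f, df, M, K):
            return K
    return None


# Klimov-Shamir function x + (x^2 v 5) with its derivative 1 + 2x from Example 3.
def ks(x, B):
    return x + ((x * x) | 5)


def ks_deriv(x, B):
    return 1 + 2 * x


# Example 4: f(x) = x xor (-1/3).  Only -1/3 modulo 2^B matters at precision B;
# it is the alternating pattern ...010101.
def minus_third(B):
    return (-pow(3, -1, 1 << B)) % (1 << B)


def xor_third(x, B):
    return x ^ minus_third(B)


def const_deriv(d):
    """A candidate derivative that is the same constant d at every point."""
    return lambda x, B: d


if __name__ == "__main__":
    for M in (1, 2, 3):
        print(f"N_{M}(Klimov-Shamir) =", n_m(ks, ks_deriv, M))
    print("x xor (-1/3) modulo 2, derivative 1: N_1 =", n_m(xor_third, const_deriv(1), 1))
    print("x xor (-1/3) modulo 4, derivative 1:", n_m(xor_third, const_deriv(1), 2))
    print("x xor (-1/3) modulo 4, derivative 3:", n_m(xor_third, const_deriv(3), 2))
```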

From Definition 5 it immediately follows that

• if a T-function is uniformly differentiable modulo $2^{M+1}$ then it is uniformly differentiable modulo $2^M$;

• a T-function is uniformly differentiable iff it is uniformly differentiable modulo $2^M$ for all $M \in \mathbb{N}$.

Thus, we have the following hierarchy of classes of uniform differentiability:

$$\mathcal{D}_1 \supseteq \mathcal{D}_2 \supseteq \mathcal{D}_3 \supseteq \cdots \supseteq \mathcal{D}_\infty,$$

where $\mathcal{D}_i$ is the class of all T-functions that are uniformly differentiable modulo $2^i$, $i = 1, 2, 3, \ldots$, and $\mathcal{D}_\infty$ is the class of all uniformly differentiable T-functions. It turns out that the T-functions of most interest to cryptography, the ones that are invertible, all lie in $\mathcal{D}_1$; that is, they all are uniformly differentiable modulo 2.

2.4. Differentiability, invertibility and single cycle property. Given $n \in \mathbb{N}$, a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is said to be bijective modulo $2^n$ iff it is invertible on $n$-bit words; that is, iff the reduced map $f \bmod 2^n \colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ is a permutation on the residue ring $\mathbb{Z}/2^n\mathbb{Z}$. Similarly, a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is said to be transitive modulo $2^n$ iff it is a single cycle on $n$-bit words; that is, iff the reduced map $f \bmod 2^n \colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ is a permutation on the residue ring $\mathbb{Z}/2^n\mathbb{Z}$ with only one cycle (hence, with the cycle of length $2^n$).

Definition 6. We say that a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is bijective iff it is bijective modulo $2^n$ for all $n \in \mathbb{N}$; we say that $f$ is transitive iff $f$ is transitive modulo $2^n$ for all $n \in \mathbb{N}$.

Actually the above definition is a theorem that is proved in the $p$-adic ergodic theory: transitive T-functions are exactly the 1-Lipschitz ergodic transformations on $\mathbb{Z}_2$, whereas bijective T-functions are the measure-preserving isometries of $\mathbb{Z}_2$ (see [3]). In order not to overload the paper we are not going to take a deeper look into the $p$-adic ergodic theory; within the scope of the paper the above definition is sufficient. The point is that for some T-functions bijectivity (resp., transitivity) modulo $2^n$ for some $n \in \mathbb{N}$ implies their bijectivity (resp., transitivity); that is, under certain conditions, if a T-function is invertible (resp., has the single cycle property) on $n$-bit words for some $n \in \mathbb{N}$, then it is bijective (resp., transitive), i.e., invertible (resp., has the single cycle property) on $n$-bit words for all $n \in \mathbb{N}$. For proofs of the remaining claims of the section readers are referred to the monograph [3].

Proposition 2. If a T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is bijective then it is uniformly differentiable modulo 2 and its derivative modulo 2 is 1 everywhere: $f'_2(x) \equiv 1 \pmod 2$ for all $x \in \mathbb{Z}_2$ (equivalently, for all $x \in \mathbb{Z}/2^{N_1(f)}\mathbb{Z}$).

Theorem 1. Let a T-function $f$ be uniformly differentiable modulo 2. Then $f$ is bijective iff $f$ is bijective modulo $2^{N_1(f)}$ and $f'_2(x) \equiv 1 \pmod 2$ everywhere. Equivalently: if and only if $f$ is bijective modulo $2^{N_1(f)+1}$.

Theorem 2. Let a T-function $f$ be uniformly differentiable modulo 4. Then $f$ is transitive iff $f$ is transitive modulo $2^{N_2(f)+2}$.



Example 5. The Klimov-Shamir T-function $f(x) = x + (x^2 \vee 5)$ is transitive.

Proof. Indeed, $f$ is uniformly differentiable, $N_2(f) = 2$; so it suffices to check whether the residues modulo 16 of $0, f(0), f^2(0) = f(f(0)), \ldots, f^{15}(0)$ are all different. This can readily be verified by direct calculation. □

It is worth noting here that all transitive (as well as all bijective) T-functions can be represented in a certain 'explicit' form:

Theorem 3 ([5], also [2, Theorem 4.44]).

• A T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is bijective if and only if it is of the form $f(x) = c + x + 2g(x)$, where $g$ is an arbitrary T-function, $c \in \{0, 1\}$.

• A T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is transitive if and only if it is of the form $f(x) = 1 + x + 2(g(x+1) - g(x))$, where $g$ is an arbitrary T-function.
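An added example (Python, my own code rather than the authors'): it runs the check from the proof of Example 5, i.e. Theorem 2 with $N_2(f) + 2 = 4$, on the Klimov-Shamir function, confirms the single cycle on longer words, shows that the choice $C = 3$ (not $5$ or $7$ modulo 8) breaks transitivity, and builds further transitive and bijective T-functions from an arbitrary T-function $g$ by the recipe of Theorem 3. The initial state $x_0 = 0$ and the sample functions $g$ are my choices.

```python
def ks(x, c=5):
    """Klimov-Shamir T-function x + (x^2 v c)."""
    return x + ((x * x) | c)


def orbit_mod(f, n, x0=0):
    """The 2^n iterates x0, f(x0), f^2(x0), ... of the reduced map f mod 2^n on n-bit words."""
    mask = (1 << n) - 1
    seq, x = [], x0 & mask
    for _ in range(1 << n):
        seq.append(x)
        x = f(x) & mask            # reduction modulo 2^n, exactly as an n-bit register does
    return seq


def is_transitive_mod(f, n, x0=0):
    """Single cycle on n-bit words: the first 2^n iterates are pairwise distinct."""
    return len(set(orbit_mod(f, n, x0))) == (1 << n)


def is_bijective_mod(f, n):
    """f mod 2^n is a permutation of the residue ring Z/2^nZ."""
    mask = (1 << n) - 1
    return len({f(x) & mask for x in range(1 << n)}) == (1 << n)


def theorem3_transitive(g):
    """f(x) = 1 + x + 2(g(x+1) - g(x)); transitive for every T-function g (Theorem 3)."""
    return lambda x: 1 + x + 2 * (g(x + 1) - g(x))


def theorem3_bijective(g, c=1):
    """f(x) = c + x + 2 g(x), c in {0, 1}; bijective for every T-function g (Theorem 3)."""
    return lambda x: c + x + 2 * g(x)


# Sample T-functions used as g (my choices): a polynomial, and a mix of arithmetic
# and bitwise operations, both compositions of the basic machine instructions.
g_poly = lambda x: x ** 3
g_mixed = lambda x: (x * x) ^ (x | 0b1011)


if __name__ == "__main__":
    print("KS orbit mod 16:", orbit_mod(ks, 4))
    print("KS transitive mod 2^n for n <= 10:", all(is_transitive_mod(ks, n) for n in range(1, 11)))
    print("x + (x^2 v 3) transitive mod 8:", is_transitive_mod(lambda x: ks(x, 3), 3))
    for g in (g_poly, g_mixed):
        f = theorem3_transitive(g)
        print("Theorem 3: transitive mod 2^8:", is_transitive_mod(f, 8),
              "bijective mod 2^8:", is_bijective_mod(theorem3_bijective(g), 8))
```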

2.5. Properties of coordinate sequences. Given a transitive T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and a 2-adic integer $x_0 \in \mathbb{Z}_2$, consider the $i$-th coordinate sequence $(\delta_i(f^j(x_0)))_{j=0}^{\infty}$. The sequence satisfies recurrence relation (1.1): that is, the second half of the period of the $i$-th coordinate sequence is the bitwise negation of the first half; so the shortest period (which is of length $2^{i+1}$) of the sequence is completely determined by its first $2^i$ bits. It turns out that given an arbitrary T-function $f$, the first halves of the periods of the coordinate sequences should be considered as independent, in the following sense:

Theorem 4 (independence of coordinate sequences). Given a set $S_0, S_1, S_2, \ldots$ of binary sequences $S_i \in \{0, 1\}^{2^i}$ of length $2^i$, $i = 0, 1, 2, \ldots$, there exists a transitive T-function $f$ and a 2-adic integer $x_0 \in \mathbb{Z}_2$ such that the first half of each $i$-th coordinate sequence is the sequence $S_i$, $i = 0, 1, 2, \ldots$:

$\delta_i(f^j(x_0))$ is the $j$-th term of $S_i$, for all $j = 0, 1, \ldots, 2^i - 1$.

The essence of our contribution is that coordinate sequences of a transitive T-function that is uniformly differentiable modulo 4 are not independent any longer: there are linear relations among them.

3. Main results: statements

Given a transitive T-function $f \colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and the initial state $x_0 \in \mathbb{Z}_2$, for $i = 0, 1, 2, \ldots$ denote $x_i = f^i(x_0)$ and $\chi_n^i = \delta_n(f^i(x_0))$, the $n$-th digit in the canonical 2-adic expansion of the $i$-th iterate of $x_0$. That is, the binary sequence $(\chi_n^i)_{i=0}^{\infty}$ is the $n$-th coordinate sequence of the recurrence sequence determined by the recurrence law $x_{i+1} = f(x_i)$.

3.1. Linear relation. Our first result yields that if a transitive T-function is uniformly differentiable modulo 4 then two adjacent coordinate sequences satisfy a linear relation of the form (1.2):

Theorem 5. Let a transitive T-function $f$ be uniformly differentiable modulo 4. Given $x_0 \in \mathbb{Z}_2$, for all $n \ge N_2(f) + 1$ the following congruence holds:

(3.1) $\chi_n^{i+2^{n-1}} \equiv \chi_n^i + \chi_{n-1}^i + \chi_n^0 + \chi_{n-1}^0 + \chi_n^{2^{n-1}} + \gamma(i) \pmod 2$, $\quad (i = 0, 1, 2, \ldots)$.

The length of the shortest period of the binary sequence $(\gamma(i))_{i=0}^{\infty}$ is $2^K$, $0 \le K \le N_2(f)$. Furthermore, $\gamma(i)$ does not depend on $n$.

Proof. See Appendix A.1. □

Note that if a T-function is transitive then by Proposition 2 it is uniformly differentiable modulo 2; so the conditions of Theorem 5 seem not too restrictive: we only demand that the T-function lies in the second largest differentiability class $\mathcal{D}_2$ whereas it already lies in the largest one (i.e., in $\mathcal{D}_1$) due to transitivity.

As both polynomial T-functions (the ones represented by polynomials over $\mathbb{Z}_2$) and the Klimov-Shamir T-function (of the form $x + (x^2 \vee C)$, $C \in \mathbb{Z}$) are uniformly differentiable (thus lie in $\mathfrak{D}_\infty$ and hence in $\mathfrak{D}_2$), our Theorem 5 can be considered as a generalization of results due to Jin-Song Wang and Wen-Feng Qi [38] and to Molland and Helleseth [30, 31]. However, the class of transitive T-functions that are uniformly differentiable modulo 4 (thus, the class of T-functions that satisfy our Theorem 5) is much wider: for instance, it contains all T-functions of the forms $f(x) = u(x) + 4 \cdot v(x)$ and $f(x) = u(x + 4 \cdot v(x))$, where $u$ is a transitive T-function that is uniformly differentiable modulo 4 and $v$ is an arbitrary T-function, see [3, Proposition 9.29]. In particular, this implies that the monster T-function from (1.3) satisfies Theorem 5. Moreover, given an arbitrary T-function $g$ that is uniformly differentiable modulo 2 (say, a bijective T-function $g$), the T-function $f(x) = 1 + x + 2(g(x+1) - g(x))$ is transitive and uniformly differentiable modulo 4; cf. Theorem 3.

These examples demonstrate how large the class of T-functions satisfying Theorem 5 is. More specific examples of such functions can be constructed with the use of various techniques of non-Archimedean analysis, see [3]. For instance, exponential functions of the form $f(x) = ax + \cdots$, where $a \equiv 1 \pmod 2$, are uniformly differentiable and transitive, as well as rational functions of the form $f(x) = \cdots$, where $u$ is a transitive polynomial and $v$ is an arbitrary T-function. We recall that a polynomial over $\mathbb{Z}_2$ is transitive iff it is transitive modulo 8.

3.2. Quadratic relation. Our second result says that if a T-function lies in the third largest differentiability class $\mathfrak{D}_3$ then there exists a quadratic relation among three adjacent coordinate sequences:

Theorem 6. Let the transitive (ergodic) T-function $f$ be uniformly differentiable modulo 8. Given $x_0 \in \mathbb{Z}_2$, for all $n \ge N_3(f) + 2$ the following congruence holds:

(3.2) $\chi_n^{i+2^{n-2}} \equiv \chi_{n-2}^i \chi_{n-1}^i + \theta(n)\,(\chi_{n-2}^i + \chi_{n-1}^i) + \chi_n^i + \gamma_i \pmod 2$, $(i = 0, 1, 2, \ldots)$,

where $\theta(n) \in \{0, 1\}$ does not depend on $i$. Furthermore, the length of the shortest period of the binary sequence $(\gamma_i)_{i=0}^\infty$ is a factor of $2^{N_3(f)}$ if $N_3(f) \ge 1$.

Proof. See Appendix A.2. □

As the Klimov-Shamir T-function $f(x) = x + (x^2 \vee C)$, $C \in \mathbb{Z}$, is uniformly differentiable, it satisfies Theorem 6 once it is transitive, i.e., once $C \equiv 5 \pmod 8$ or $C \equiv 7 \pmod 8$; thus Theorem 6 may be considered as a generalization of a result of Yong-Long Luo and Wen-Feng Qi [17], who proved a quadratic relation for the Klimov-Shamir T-function.

4. Application to T-function-based stream ciphers

In this section we discuss how the relations (3.1) and (3.2) from Theorems 5 and 6 may be used to attack stream ciphers that use T-functions to generate pseudorandom sequences. We do not construct attacks themselves; we only point out some approaches that may result in attacks. We consider mostly the linear relation; however, one may use the quadratic relation as well, by analogy.

Basically a stream cipher is a pseudorandom generator whose produced binary sequence is used as a keystream, i.e., is XOR-ed with the plaintext to encrypt a message. A pseudorandom generator (PRG) can be thought of as an algorithm that takes at random a short initial binary string, the key, and stretches it to a much longer binary sequence, the keystream, which looks random, that is, passes a set of reasonable tests in a reasonable time. A stream cipher must withstand various cryptographic attacks.




Figure 1. Pseudorandom generator 

Basically a PRG can be considered as an automaton with no input (see Figure 1), where the initial state $x_0 \in \{0, 1, \ldots, 2^k - 1\}$ is a key, or is produced during the 'warming-up' stage from the key and the IV, the initial vector. We assume that the state transition function $f$ is a T-function on $k$-bit words. Moreover, $f$ (as well as the output function $F$) may depend on a key, or even may change during the encryption procedure; that is, the recurrence law is actually $x_{i+1} = f_i(x_i)$. In the latter case the corresponding generator is called counter-dependent [37], and we assume that all $f_i$ are T-functions on $k$-bit words. Furthermore, they may be multivariate T-functions as well, and not necessarily univariate ones.

Our second basic assumption is that one knows sufficiently long segments of two coordinate sequences $(\chi_{n-1}^i)_{i=0}^\infty$ and $(\chi_n^i)_{i=0}^\infty$, $n \le k - 1$, of the state sequence $(x_i)_{i=0}^\infty$. In this Section we explain how under these assumptions one can recover the lower-order coordinate sequences $(\chi_m^i)_{i=0}^\infty$ for $m < n - 1$. After explaining the general method in Subsection 4.1 for the case of a univariate transitive T-function, we apply the method to multivariate transitive T-functions (Subsection 4.2) and to counter-dependent generators (Subsection 4.3).

4.1. General method. Assume that the state transition function $f$ does not depend on $i$, and that $f$ is the reduction modulo $2^k$ of a univariate transitive T-function $\bar f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ (i.e., $f = \bar f \bmod 2^k$) which is uniformly differentiable modulo 4, so that $N_2(\bar f) < n - 1 < k - 1$. It can be shown (see e.g. the example at the end of 4.2.2) that, given a T-function $f$ which is transitive on $k$-bit words, transitive T-functions $\bar f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ which are uniformly differentiable modulo 4 and such that $f = \bar f \bmod 2^k$ always exist; however, the core of our assumption is that the number $N_2 = N_2(\bar f)$ must be sufficiently small: $N_2 < n - 1 < k - 1$.

We stress that in most cases the latter assumption is not too restrictive: e.g., for polynomials with integer coefficients we have $N_2 \le 2$, whereas for the Klimov-Shamir T-function $x + (x^2 \vee 5)$ we have $N_2 = 2$; and we have $N_2 = 1$ for the monster T-function (1.3). Note that although for the Klimov-Shamir T-function $x + (x^2 \vee C)$, $C \in \mathbb{Z}$, which is uniformly differentiable if $C \in \mathbb{N}_0$, the number $N_2$ depends on the length of the binary representation of $|C|$, in practice only small $C$ should be used (e.g., $C = 5$), since the distribution properties of the Klimov-Shamir T-function get poorer the more 1's there are in the 2-adic representation of $C$: for instance, if $C < 0$ then the 2-dimensional distribution properties of the output sequence of the corresponding Klimov-Shamir generator are practically the same as the ones for the transitive T-function $x \mapsto x - 1$; see [35] for a comprehensive study of the distribution properties of Klimov-Shamir generators; some information about these can also be found in [3, Section 11.1].

In practice, to construct the T-function $\bar f$ given the T-function $f$ we should do absolutely nothing, since $\bar f$ is just the extension of $f$ to the whole space $\mathbb{Z}_2$: for instance, if $f$ is a polynomial with integer coefficients (or the Klimov-Shamir T-function $x + (x^2 \vee C)$, or the monster T-function (1.3), etc.), then $\bar f$ is just the same polynomial (Klimov-Shamir T-function, monster T-function) considered over the larger domain $\mathbb{Z}_2$ rather than $\mathbb{Z}/2^k\mathbb{Z}$. Thus, our basic assumption just says that the transitive T-function $\bar f$ must be uniformly differentiable modulo 4 and $N_2(\bar f)$ must be sufficiently small, at least smaller than $k - 2$; then we can recover the coordinate sequences $(\chi_m^i)_{i=0}^\infty$ for $m = n-2, n-3, \ldots, N_2(\bar f)$. Of course, to recover the whole $m$-th coordinate sequence we just have to recover its first $2^m$ terms, due to property (1.1).

We now proceed with all these assumptions in mind. 

4.1.1. The method for a univariate T-function. We proceed as follows.

(1) Given the first $2^n$ bits of the coordinate sequences $(\chi_{n-1}^i)_{i=0}^\infty$ and $(\chi_n^i)_{i=0}^\infty$, find the sequence $(\gamma(i))_{i=0}^{2^{n-1}-1}$ by solving equations (3.1) w.r.t. $\gamma(i)$.

(2) As by Theorem 5 the sequence $(\gamma(i))$ does not depend on $n$, having $(\gamma(i))_{i=0}^{2^{n-1}-1}$ and solving equations (3.1) for $n := n - 1$ and $i = 0, 1, 2, \ldots, 2^{n-2} - 1$, we find two sequences $S^0_{n-2}$ and $S^1_{n-2}$ of solutions $(\chi_{n-2}^i)_{i=0}^{2^{n-2}-1}$; the first sequence $S^0_{n-2}$ corresponds to the choice $\chi_{n-2}^0 = 0$, whereas the second one, $S^1_{n-2}$, corresponds to the choice $\chi_{n-2}^0 = 1$ in equation (3.1). Therefore the two bit sequences $S^0_{n-2}$ and $S^1_{n-2}$ are mutually complementary, $S^0_{n-2} \oplus S^1_{n-2} = (1)_{i=0}^{2^{n-2}-1}$; that is, the sum of the $i$-th term of the first sequence with the $i$-th term of the second sequence is always 1 modulo 2, for all $i = 0, 1, 2, \ldots, 2^{n-2} - 1$. Now, to find the full period $S_{n-2} = (\chi_{n-2}^i)_{i=0}^{2^{n-1}-1}$ of the $(n-2)$-th coordinate sequence $(\chi_{n-2}^i)_{i=0}^\infty$, use relation (1.1) (which yields that $\chi_{n-2}^{i+2^{n-2}} \equiv \chi_{n-2}^i + 1 \pmod 2$ in the case under consideration) to continue the finite sequences $S^0_{n-2}$ and $S^1_{n-2}$, which actually are two variants of the first half-period of the $(n-2)$-th coordinate sequence $S_{n-2}$, to full periods of length $2^{n-1}$; we keep the same notation for these two variants of the full period, i.e., $S^0_{n-2}$ and $S^1_{n-2}$. Thus we find two solutions for the full period of the $(n-2)$-th coordinate sequence $S_{n-2}$, namely $S^0_{n-2}$ and $S^1_{n-2}$, and the solutions are mutually complementary: $S^0_{n-2} \oplus S^1_{n-2} = (1)_{i=0}^{2^{n-1}-1}$.

(3) Next, given the sequence $(\gamma(i))$ and the two variants $S^0_{n-2}$ and $S^1_{n-2}$ of the $(n-2)$-th coordinate sequence, we find a pair of mutually complementary sequences $S^0_{n-3}$ and $S^1_{n-3}$ for either of $S^0_{n-2}$ and $S^1_{n-2}$ by solving equation (3.1) for $n := n - 2$ w.r.t. the indeterminate $\chi_{n-3}^i$. However, among these 4 obtained variants of the first half-period of the $(n-3)$-th coordinate sequence there are only two different ones (depending on the value of $\chi_{n-2}^0 \oplus \chi_{n-3}^0$), and they are mutually complementary. Thus, at this step we again obtain two solutions, $S^0_{n-3}$ and $S^1_{n-3}$, for the full period of the $(n-3)$-th coordinate sequence $S_{n-3}$, and the solutions are mutually complementary: $S^0_{n-3} \oplus S^1_{n-3} = (1)_{i=0}^{2^{n-2}-1}$.

(4) Proceed with $n := n - 3$, etc.

Two important remarks should be made:

• As the T-function $f$ is uniformly differentiable modulo 4, at every step $j$ we recover two variants of the first half of a period of the $(n-j)$-th coordinate sequence rather than $2^{n-j}$ variants for a general transitive T-function $f$, cf. Theorem 4; and the two variants are mutually complementary, so actually we need to recover only one of these variants. Hence at each step $j$ we just solve $2^{n-j} - 1$ linear Boolean equations (3.1), for $i = 1, 2, \ldots, 2^{n-j} - 1$, each in one Boolean indeterminate, $\chi_{n-j}^i$.

• Nowhere in the algorithm did we use the T-function $f$ by itself, e.g., its explicit representation in a certain form; we used only the fact that $f$ is transitive and uniformly differentiable modulo 4.
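The relation (3.1) of Theorem 5 and the recovery procedure of 4.1.1, as an added example that is not part of the paper: the T-function is the Klimov-Shamir map $x + (x^2 \vee 5)$ (with $N_2 = 2$, as stated in 4.1); the word size and the starting state are assumptions chosen so that a full period is cheap to enumerate; and the closed form for $\gamma(i)$ rests on $f'_2(x) \equiv 1 + 2x \pmod 4$ for this particular map, which the paper does not state and which is derived in the comment. The recovery returns, for every level, one of the two complementary candidates, exactly as the method above predicts.

```python
# Added example (not code from the paper): the linear relation (3.1) on the
# Klimov-Shamir T-function x + (x^2 | 5), and the recovery method of 4.1.1.
# K_BITS and the starting state in __main__/tests are assumptions.

K_BITS = 16          # k: word size of the generator (assumption)
N2_KS = 2            # N_2 of x + (x^2 | 5), as stated in 4.1


def klimov_shamir(x, k=K_BITS, c=5):
    """One step of x + (x^2 OR C) on k-bit words; a single cycle for C = 5 (mod 8)."""
    return (x + ((x * x) | c)) & ((1 << k) - 1)


def coordinate_sequences(f, x0, top, length):
    """chi[j][i] = delta_j(f^i(x0)): the j-th bit of the i-th state, 0 <= j <= top."""
    chi = [[] for _ in range(top + 1)]
    x = x0
    for _ in range(length):
        for j in range(top + 1):
            chi[j].append((x >> j) & 1)
        x = f(x)
    return chi


def gamma_closed_form(x0, i):
    """gamma(i) = delta_1((f^i)'_2(x0)) for f = x + (x^2 | 5).
    Since (x^2 | 5) = x^2 + 5 - (x^2 & 5) and x^2 & 5 depends only on x mod 4,
    f(x + h) = f(x) + h(1 + 2x) + h^2 for h = 0 mod 4, so f'_2(x) = 1 + 2x (mod 4).
    The chain rule gives (f^i)'_2(x0) = prod_{j<i}(1 + 2x_j) = 1 + 2 sum_{j<i} x_j (mod 4):
    gamma(i) is the parity of the number of odd states among x_0 .. x_{i-1}.
    A transitive T-function alternates parity, which yields the closed form."""
    return ((i + (x0 & 1)) // 2) & 1


def relation_holds(chi_prev, chi_n, n, gamma, count):
    """Check (3.1) for i < count, with gamma a callable i -> gamma(i):
    chi_n^{i+2^(n-1)} = chi_{n-1}^i + chi_n^i + chi_{n-1}^0 + chi_n^0 + chi_n^{2^(n-1)} + gamma(i)."""
    half = 1 << (n - 1)
    const = chi_prev[0] ^ chi_n[0] ^ chi_n[half]
    return all(chi_n[i + half] == chi_prev[i] ^ chi_n[i] ^ const ^ gamma(i)
               for i in range(count))


def gamma_from_relation(chi_prev, chi_n, n):
    """Step (1) of 4.1.1: solve (3.1) for gamma(i), i < 2^(n-1), from the first
    2^n terms of chi_n and the first 2^(n-1) terms of chi_{n-1}."""
    half = 1 << (n - 1)
    const = chi_prev[0] ^ chi_n[0] ^ chi_n[half]
    return [chi_n[i + half] ^ chi_prev[i] ^ chi_n[i] ^ const for i in range(half)]


def recover_lower(chi_m, gamma, m, first_bit=0):
    """Steps (2)-(3) of 4.1.1: solve (3.1) at level m for chi_{m-1}, guessing
    chi_{m-1}^0 = first_bit (the other solution is the complement), then extend
    the half period by (1.1): chi_{m-1}^{i+2^(m-1)} = chi_{m-1}^i XOR 1.
    chi_m enters only through XORs of pairs of its terms, so feeding in the
    complement of chi_m gives the same two candidates."""
    half = 1 << (m - 1)
    const = first_bit ^ chi_m[0] ^ chi_m[half]
    head = [chi_m[i + half] ^ chi_m[i] ^ const ^ gamma[i] for i in range(half)]
    return head + [b ^ 1 for b in head]


def recover_all(chi_prev, chi_n, n, n2):
    """Run the method from level n down: {m: full-period candidate for chi_m}
    for m = n-2, ..., n2, each correct up to complementation."""
    gamma = gamma_from_relation(chi_prev, chi_n, n)
    found, current = {}, chi_prev
    for m in range(n - 1, n2, -1):      # (3.1) at level m is valid since m >= N_2 + 1
        current = recover_lower(current, gamma, m)
        found[m - 1] = current
    return found


def same_up_to_complement(candidate, truth):
    return candidate == truth or [b ^ 1 for b in candidate] == truth


if __name__ == "__main__":
    x0, n = 0xBEEF, 7                    # constructed starting state (assumption)
    chi = coordinate_sequences(klimov_shamir, x0, n, 1 << (n + 1))
    print("(3.1) holds at n = 6:",
          relation_holds(chi[5], chi[6], 6, lambda i: gamma_closed_form(x0, i), 64))
    for m, cand in sorted(recover_all(chi[n - 1], chi[n], n, N2_KS).items()):
        print("chi_%d recovered up to complement:" % m,
              same_up_to_complement(cand, chi[m][:len(cand)]))
```

Only $2^n$ terms of $\chi_n$ and the half period of $\chi_{n-1}$ are consumed; the function klimov_shamir is never called by the recovery code, which is the second remark above in executable form.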

4.2. The case of multivariate T-functions. We first stress that a multivariate transitive T-function that is uniformly differentiable modulo 2 (thus, modulo 4) does not exist, see [3, Theorem 4.51]; and secondly, that all known multivariate transitive T-functions are actually just multivariate representations of univariate transitive T-functions, see [3, Section 10.4]. We briefly explain now what the latter representations are.

A transitive multivariate T-function is a map of the form (2.1) from the $n$-th Cartesian power of the space $\mathbb{Z}_2$ to its $m$-th Cartesian power $\mathbb{Z}_2^m$, where $m = n$. Loosely speaking, we can consider an element of $\mathbb{Z}_2^m$ as a table of $m$ one-sided infinite binary rows $x^{(0)}, \ldots, x^{(m-1)}$ (say, stretching from left to right). To this table we put into correspondence the infinite binary string (that is, a 2-adic integer from $\mathbb{Z}_2$) obtained by reading successively the elements of each column of the table, from top to bottom and from left to right. Thus we establish a one-to-one correspondence $B$ between $\mathbb{Z}_2^m$ and $\mathbb{Z}_2$. Now, given a transitive univariate T-function $f$ of the form (2.2) and using this correspondence, we construct an $m$-variate transitive T-function $\mathbf{f}\colon \mathbb{Z}_2^m \to \mathbb{Z}_2^m$: if

$x = (\chi_0; \chi_1; \chi_2; \ldots) \mapsto (\psi_0(\chi_0); \psi_1(\chi_0, \chi_1); \psi_2(\chi_0, \chi_1, \chi_2); \ldots)$

then $\mathbf{f} = (h^{(0)}, \ldots, h^{(m-1)})$ is defined as follows:

(4.1)
$x^{(0)} = (\chi_0; \chi_m; \chi_{2m}; \ldots) \mapsto (\psi_0(x); \psi_m(x); \psi_{2m}(x); \ldots)$
$x^{(1)} = (\chi_1; \chi_{m+1}; \chi_{2m+1}; \ldots) \mapsto (\psi_1(x); \psi_{m+1}(x); \psi_{2m+1}(x); \ldots)$
$\cdots$
$x^{(m-1)} = (\chi_{m-1}; \chi_{2m-1}; \chi_{3m-1}; \ldots) \mapsto (\psi_{m-1}(x); \psi_{2m-1}(x); \psi_{3m-1}(x); \ldots)$

where $x^{(0)}, \ldots, x^{(m-1)}$ are new 2-adic variables and $\psi_j(x) = \psi_j(\chi_0, \ldots, \chi_j)$, $j = 0, 1, 2, \ldots$. We stress that the known multivariate transitive T-functions from [18, 14] are based on representations of this sort of univariate transitive T-functions, and that these are the multivariate T-functions used in the design of the ciphers Mir-1 [29], ASC [39], the TF-i family [19], and the TSC family [15].

To apply our basic approach 4.1.1 to a multivariate T-function $\mathbf{f}$ of this sort, the corresponding univariate T-function $f$ must be uniformly differentiable modulo 4. However, even if this is not the case, we can consider a conjugate univariate T-function $f^w$ which is uniformly differentiable modulo 4. Indeed, all univariate transitive T-functions are mutually conjugate: given a pair of transitive T-functions $u, v\colon \mathbb{Z}_2 \to \mathbb{Z}_2$, there exists a bijective T-function $w\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ such that $u = v^w = w^{-1} \circ v \circ w$, where $\circ$ stands for composition of functions (see e.g. [13]). Now, if we know the conjugating function $w$, we can apply method 4.1.1.

4.2.1. The method for multivariate T-functions. Denote by $B\colon \mathbb{Z}_2^m \to \mathbb{Z}_2$ the above one-to-one correspondence between $\mathbb{Z}_2^m$ and $\mathbb{Z}_2$; thus, given a transitive $m$-variate T-function $\mathbf{f} = (h^{(0)}, \ldots, h^{(m-1)})\colon \mathbb{Z}_2^m \to \mathbb{Z}_2^m$ of the form (4.1), the corresponding univariate T-function is $f = \mathbf{f}^B = B \circ \mathbf{f} \circ B^{-1}$. Now let $g$ be a univariate T-function for which the relations (3.1) hold. As $f = g^w$ for a suitable T-function $w\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ (we assume that $w$ is known), the $i$-th term of the output sequence $(\mathbf{x}_i)_{i=0}^\infty$ of the generator with the recursion law $\mathbf{x}_{i+1} = \mathbf{f}(\mathbf{x}_i)$, $\mathbf{x}_i = (x_i^{(0)}, \ldots, x_i^{(m-1)})$, can be represented as $\mathbf{x}_i = \mathbf{f}^i(\mathbf{x}_0) = B^{-1}(w^{-1}(g^i(w(B(\mathbf{x}_0)))))$. Therefore, as the linear relations (3.1) hold for $g$, we can use them to recover coordinate sequences of the sequence $(\mathbf{x}_i)_{i=0}^\infty$, since

$w(B(\mathbf{x}_i)) = g^i(w(B(\mathbf{x}_0))).$

In other words, rather than trying to recover coordinate sequences of the generator with the recursion law $\mathbf{x}_{i+1} = \mathbf{f}(\mathbf{x}_i)$ and with initial state $\mathbf{x}_0$, we can study coordinate sequences of the generator with the recursion law $x_{i+1} = g(x_i)$, with the initial state $x_0 = w(B(\mathbf{x}_0))$ and with the bijective output function $B^{-1} \circ w^{-1}$.

Basically the approach will work if the output function $B^{-1} \circ w^{-1}$ is known. However, the bijective output function $B^{-1} \circ w^{-1}$ can be considered as "known" only if $w$ is easy to find and easy to invert; i.e.,

• if it is easy to find the conjugating T-function $w$ given the T-functions $f$ and $g$ which are conjugate via $w$: $f = g^w$ (in particular, $w$ must then admit a "short" representation in some form); and

• if, given $w$, it is easy to find the inverse T-function $w^{-1}$ such that $w \circ w^{-1}$ is the identity transformation (in particular, this means that $w^{-1}$ admits a "short" representation as well).

Indeed, $B$ is just "concatenation of columns": it maps $m$ strings (2-adic integers) $x^{(0)}, \ldots, x^{(m-1)}$ (see the left side of (4.1)) to a single string (a 2-adic integer) $x = (\chi_0; \chi_1; \ldots; \chi_{m-1}; \chi_m; \ldots; \chi_{2m-1}; \chi_{2m}; \ldots)$; so the inverse $B^{-1}$ is just "cutting a single string into columns of height $m$", which is easy.

Finding $w$ from the equation $f = g^w$ may be an infeasible task: although, given two single-cycle permutations $f$ and $g$ on some finite set, one may find all conjugating permutations $w$ by solving the equation by Cauchy's method, direct application of the latter will take exponentially long time, since in our case the set is of order $2^{km}$ (if we consider an $m$-variate T-function on $k$-bit words). Also, given a bijective T-function $w$ in some 'short' form, there are a number of algorithms to find the inverse T-function $w^{-1}$; however, the representation of $w^{-1}$ may be too long, and thus the problem of finding $w^{-1}$ will also be infeasible.

On the other hand, in many practical cases the main ideas of the approach work either directly or after certain adjustment: to illustrate, we apply them to a multivariate T-function from [14] which is used in the TSC family of stream ciphers.

4.2.2. Linear relation in the multivariate function of the TSC family of ciphers. We start with a description of the general T-function $\mathbf{T}$ used in these ciphers. Given $\mathbf{x} = (x^{(0)}, \ldots, x^{(m-1)}) \in \mathbb{Z}_2^m$, denote $\delta_j(\mathbf{x}) = (\delta_j(x^{(0)}), \ldots, \delta_j(x^{(m-1)}))$ (the $j$-th columnar binary vector $(\chi_{jm}, \ldots, \chi_{(j+1)m-1})$ in the notation of (4.1)).

A special $m$-variate T-function $\alpha(\mathbf{x})$ on $k$-bit words (the odd parameter) is fixed. For our purposes we do not need a detailed description of $\alpha(\mathbf{x})$; we only note that in our terms $\alpha\colon \mathbb{Z}_2^m \to \mathbb{Z}_2$ is a T-function such that $\delta_j(\alpha(\mathbf{x}))$ does not depend on $\delta_j(\mathbf{x})$, and the Boolean function $\delta_j(\alpha(\mathbf{x}))$ of the Boolean variables $\chi_0, \ldots, \chi_{jm-1}$ is of odd weight; that is, $\delta_0(\alpha(\mathbf{x})) = 1$ and the algebraic normal form of the Boolean function $\delta_j(\alpha(\mathbf{x}))$ contains the monomial $\chi_0 \cdots \chi_{jm-1}$ (this is equivalent to the definition of the odd parameter in [14, 16, 18]).

Further, an S-box is fixed. That is, a sequence of permutations $S_0, S_1, S_2, \ldots$ on $m$-bit words is given. Each permutation $S_j$ acts on the $j$-th column $D_j(\mathbf{x}) = \delta_j(\mathbf{x}) = (\chi_{jm}, \ldots, \chi_{(j+1)m-1})$ by substituting it with $S_j(D_j(\mathbf{x}))$. Also, a sequence of odd numbers $\sigma_0, \sigma_1, \sigma_2, \ldots$ and a sequence of even numbers $\varepsilon_0, \varepsilon_1, \varepsilon_2, \ldots$ are given. Now the T-function $\mathbf{T}$ of the TSC family of stream ciphers is defined as follows:

$\delta_j(\mathbf{T}(\mathbf{x})) = \begin{cases} S_j^{\sigma_j}(\delta_j(\mathbf{x})), & \text{if } \delta_j(\alpha(\mathbf{x})) = 1; \\ S_j^{\varepsilon_j}(\delta_j(\mathbf{x})), & \text{otherwise.} \end{cases}$

The key point is that if $m$ is small, then, given $S_j$ and a permutation $L_j$ that has the same cycle structure as $S_j$, one easily finds a conjugating permutation $R_j$ by solving the equation $S_j = R_j^{-1} L_j R_j$ by Cauchy's method.

In the TSC family $m$ is small: for every TSC-i ($i = 1, 2, 3, 4$), the input is arranged into $m = 4$ input words of $k = 32$ (TSC-1, -2, -4) or $k = 40$ (TSC-3) bits. That is, to find the conjugating permutations one will solve 32 or 40 equations $S_j = R_j^{-1} L_j R_j$ in the symmetric group on 16 elements. Moreover, in the TSC family all permutations $S_j$ are single cycles.
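Cauchy's method for the equation $S_j = R_j^{-1} L_j R_j$ on $m$-bit words, as an added example that is not part of the paper: $S_j$ below is a constructed single-cycle permutation of $\{0, \ldots, 15\}$ (an affine map standing in for the TSC S-box, which is not reproduced here), $L_j$ is $z \mapsto z + 1 \bmod 16$, and the last check shows that one and the same $R_j$ carries $S_j^{\sigma_j}$ and $S_j^{\varepsilon_j}$ to $L_j^{\sigma_j}$ and $L_j^{\varepsilon_j}$, which is what the column-wise conjugation of $\mathbf{T}$ described next relies on.

```python
# Added example (not code from the paper): Cauchy's method for R with
# S = R^-1 o L o R, for single-cycle permutations S and L of m-bit words,
# as used in 4.2.2 for the TSC column permutations S_j.  S4 below is a
# constructed stand-in (an affine single cycle), not the real TSC S-box.

M_BITS = 4                       # column height m of TSC


def cycle_of(perm, start=0):
    """Orbit of `start` under perm; it lists every element once iff perm is a single cycle."""
    orbit = [start]
    z = perm[start]
    while z != start:
        orbit.append(z)
        z = perm[z]
    return orbit


def is_single_cycle(perm):
    return len(cycle_of(perm)) == len(perm)


def inverse(perm):
    inv = [0] * len(perm)
    for z, image in enumerate(perm):
        inv[image] = z
    return inv


def compose(p, q):
    """(p o q)(z) = p(q(z))."""
    return [p[q[z]] for z in range(len(q))]


def power(perm, e):
    """perm composed with itself e times (e >= 0)."""
    result = list(range(len(perm)))
    for _ in range(e):
        result = compose(perm, result)
    return result


def conjugator(s_perm, l_perm, anchor=0):
    """Cauchy's method: walk the single cycle of S and that of L in step, sending
    S^i(0) to L^i(anchor).  The result R satisfies R(S(z)) = L(R(z)) for all z,
    i.e. S = R^-1 o L o R.  The free choice of `anchor` enumerates all 2^m solutions."""
    n = len(s_perm)
    if len(l_perm) != n or not (is_single_cycle(s_perm) and is_single_cycle(l_perm)):
        raise ValueError("both permutations must be single cycles of equal length")
    r = [None] * n
    z, w = 0, anchor
    for _ in range(n):
        r[z] = w
        z, w = s_perm[z], l_perm[w]
    return r


def is_conjugate_by(s_perm, l_perm, r):
    """Elementwise check of S == R^-1 o L o R."""
    return compose(inverse(r), compose(l_perm, r)) == s_perm


def tsc_column_step(perm, sigma, eps, param_bit):
    """One TSC column update: perm^sigma if the odd-parameter bit is 1, else perm^eps
    (sigma odd, eps even).  For perm = L_j this is z -> z + sigma or z + eps mod 2^m."""
    return power(perm, sigma if param_bit else eps)


# Constructed data: L_j(z) = z + 1 mod 2^m and an affine single cycle standing in for S_j.
L4 = [(z + 1) % (1 << M_BITS) for z in range(1 << M_BITS)]
S4 = [(5 * z + 3) % (1 << M_BITS) for z in range(1 << M_BITS)]
R4 = conjugator(S4, L4)


if __name__ == "__main__":
    print("R_j =", R4)
    print("S_j = R_j^-1 L_j R_j:", is_conjugate_by(S4, L4, R4))
    print("same R_j conjugates S_j^3 to L_j^3:",
          is_conjugate_by(tsc_column_step(S4, 3, 2, 1), tsc_column_step(L4, 3, 2, 1), R4))
```

The walk is linear in $2^m$, which is why 32 or 40 such equations in the symmetric group on 16 elements cost nothing, whereas the same method on the whole state space of order $2^{km}$ is out of reach.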

Now put $L_j(z) = (z + 1) \bmod 2^m$, a single-cycle permutation that acts on $m$-bit words by adding 1 modulo $2^m$; that is, $L_j$ reads the $j$-th column $(\chi_{jm}; \chi_{jm+1}; \ldots; \chi_{(j+1)m-1})$ as the base-2 expansion of a non-negative integer $z = \chi_{jm} + \chi_{jm+1} \cdot 2 + \cdots + \chi_{(j+1)m-1} 2^{m-1}$, sends $z$ to the least non-negative residue of $z + 1$ modulo $2^m$ and returns the column $(\delta_0(z+1); \delta_1(z+1); \ldots; \delta_{m-1}(z+1))$. Consider the T-function $\mathbf{L}\colon \mathbb{Z}_2^m \to \mathbb{Z}_2^m$ defined as follows:

$\delta_j(\mathbf{L}(\mathbf{x})) = \begin{cases} L_j^{\sigma_j}(\delta_j(\mathbf{x})), & \text{if } \delta_j(\alpha(\mathbf{x})) = 1; \\ L_j^{\varepsilon_j}(\delta_j(\mathbf{x})), & \text{otherwise.} \end{cases}$

This implies that the T-function $\mathbf{T}$ is conjugate to the univariate T-function $t\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ that acts as follows: given the input string $x = (\chi_0; \chi_1; \ldots)$, it is considered as the concatenation of $m$-bit words $q_0, q_1, \ldots$, $q_j = \chi_{jm}\chi_{jm+1} \cdots \chi_{(j+1)m-1}$; the T-function $t$ reads each word $q_j$ as the base-2 expansion of the non-negative number $Q_j = \chi_{jm} + \chi_{jm+1} 2 + \cdots + \chi_{(j+1)m-1} 2^{m-1}$ and returns the $m$-bit word $t_j(q_j)$ that is the base-2 expansion of the number

$D_j(t(x)) = t_j(Q_j) = \bigl(Q_j + \sigma_j \cdot a_j(Q_0, \ldots, Q_{j-1}) + \varepsilon_j \cdot (1 - a_j(Q_0, \ldots, Q_{j-1}))\bigr) \bmod 2^m,$

where $a_j(Q_0, \ldots, Q_{j-1}) = \delta_j(\alpha(B^{-1}(x)))$ and $B$ is the one-to-one correspondence between $\mathbb{Z}_2^m$ and $\mathbb{Z}_2$ from Subsection 4.2.1.

It turns out that the coordinate sequences of each sequence $(D_j(t^i(x)))_{i=0}^\infty$ of $m$-bit words satisfy relation (3.1). Note that our claim is that the relation holds only within every sequence $(D_j(t^i(x)))_{i=0}^\infty$, and not necessarily between the coordinate sequences $(\delta_{jm-1}(t^i(x)))_{i=0}^\infty$ and $(\delta_{jm}(t^i(x)))_{i=0}^\infty$, since they belong to coordinate sequences of different sequences, of $(D_{j-1}(t^i(x)))_{i=0}^\infty$ and $(D_j(t^i(x)))_{i=0}^\infty$ respectively.

To prove the claim it suffices to prove it for coordinate sequences (of sufficiently large order) of a univariate T-function $f$ that is defined as follows. Let $u\colon \mathbb{Z}/2^k\mathbb{Z} \to \mathbb{Z}/2^k\mathbb{Z}$ be a transitive T-function on $k$-bit words, let the map $v\colon \mathbb{Z}/2^k\mathbb{Z} \to \{0, 1\}$ take the value 1 on an odd number of $k$-bit words: $\#\{z \in \mathbb{Z}/2^k\mathbb{Z}\colon v(z) = 1\}$ is odd; let $\sigma$ be odd, and let $\varepsilon$ be even. Given $x \in \mathbb{Z}_2$, $x$ admits a unique representation $x = \bar x + 2^k \tilde x$ with $\bar x = x \bmod 2^k \in \{0, 1, \ldots, 2^k - 1\}$ and a suitable $\tilde x \in \mathbb{Z}_2$. Now put

$f(x) = u(\bar x) + 2^k\bigl(\tilde x + (\sigma - \varepsilon)\, v(\bar x) + \varepsilon\bigr).$

Firstly, we note that $f$ is uniformly differentiable and that $N_2(f) \le k$. Indeed, given $h = 2^i r$ for $i \ge k$, one has $f(x + h) = u(\bar x) + 2^k(\tilde x + 2^{i-k} r + (\sigma - \varepsilon)\, v(\bar x) + \varepsilon) = f(x) + 2^i r = f(x) + h$.

Secondly, $f$ is transitive. Indeed, as $u^{2^k}(\bar x) = \bar x$ and the high part gains $(\sigma - \varepsilon)\, v(u^j(\bar x)) + \varepsilon$ at the $j$-th step,

$f^{2^k}(x) = \bar x + 2^k\bigl(\tilde x + (\sigma - \varepsilon)\, s + 2^k \varepsilon\bigr) = x + 2^k\bigl((\sigma - \varepsilon)\, s + 2^k \varepsilon\bigr), \qquad s = \sum_{j=0}^{2^k - 1} v(u^j(\bar x));$

however, $s$ is odd by the definition of $v$, since $u^j(\bar x)$ runs through all $k$-bit words as $j = 0, 1, 2, \ldots, 2^k - 1$, due to the transitivity of $u$. Thus $f$ is transitive modulo $2^{k+2}$, as the map $\tilde x \mapsto \tilde x + (\sigma - \varepsilon)\, s + 2^k \varepsilon$ is obviously transitive modulo 4, since $(\sigma - \varepsilon)\, s + 2^k \varepsilon$ is odd. Finally, $f$ is transitive by Theorem 2 and thus satisfies the conditions of Theorem 5. This proves our claim (of course, the transitivity of $f$ might be proved directly rather than by applying Theorem 2).

We stress that we only state that there are linear relations of the form (3.1) in the output sequences of generators based on T-functions of the sort used in the TSC stream ciphers, and we do not claim that these relations affect (or do not affect) the security of the ciphers. The latter is out of the scope of the paper; it is worth noting here only that the ciphers were successfully attacked, however using vulnerabilities other than the ones we indicate, see e.g. [551^0].

It is also worth noticing here that the method cannot be immediately applied to the stream ciphers Mir-1, TF-i and ASC, although all of these are based on a multivariate version of the Klimov-Shamir T-function $x + (x^2 \vee C)$, for which the relations hold due to the result of Molland and Helleseth mentioned at the beginning of the paper.

4.3. The case of counter-dependent generators. A counter-dependent generator is a pseudorandom generator with the recursion law $x_{i+1} = f_i(x_i)$, that is, the state transition (and/or the output) function changes dynamically during processing. Counter-dependent generators were introduced in [37]; in [3, Section 10.3] it is shown that counter-dependent generators can be considered as wreath products of dynamical systems which are ordinary generators, and the corresponding theory is developed. The theory enables one to construct counter-dependent generators of the longest possible period. Generators of this kind were used in the ABC stream ciphers, see [TUl [i [H El IH].

Loosely speaking, the wreath product of generators is a cascaded composition of generators, see Figure 2. If all $f_{y_i}$ are T-functions on $k$-bit words, the maximum length of the shortest period of the counter-dependent generator from Figure 2 is $p \cdot 2^k$, where $p$ is the length of the shortest period of the generator with the recursion law $y_{i+1} = g(y_i)$. For conditions under which the counter-dependent generator achieves the longest possible period see [3, Theorem 10.9; Lemma 10.12]; the structure of the corresponding output sequence is presented in Figure 3: the shortest period of this sequence achieves the maximum length $p \cdot 2^k$, i.e., the period is a finite sequence $(x_i)_{i=0}^{p \cdot 2^k - 1}$ of length $p \cdot 2^k$ of $k$-bit words which is a union of $p$ subsequences $(x_{r+pi})_{i=0}^{2^k-1}$, $r = 0, 1, 2, \ldots, p-1$, and each subsequence $(x_{r+pi})_{i=0}^{2^k-1}$ is generated by a transitive T-function $W_r$: $W_r = f_{y_{r+p-1}} \circ \cdots \circ f_{y_r}$, $W_r(x_{r+(i-1)p}) = x_{r+ip}$, $i = 1, 2, \ldots$. We conclude now that if all T-functions $f_{y_i}$ are uniformly differentiable modulo 4 then all T-functions $W_r$ are uniformly differentiable modulo 4 and transitive; thus all T-functions $W_r$ satisfy the conditions of Theorem 5. Therefore the coordinate sequences of every subsequence $(x_{r+ip})_{i=0}^{2^k-1}$ of the output sequence $(x_i)_{i=0}^{p \cdot 2^k - 1}$ satisfy the linear relation (3.1).

Figure 2. Counter-dependent generator, the wreath product of generators (the controlling generator has the recursion law $y_{i+1} = g(y_i)$).




Figure 3. Structure of the sequence generated by wreath product. 



It is worth noting here that the above result on linear relations in coordinate sequences produced by wreath products of generators cannot be applied immediately to the ABC stream ciphers, since the latter use wreath products of a linear feedback shift register with an 'add-xor' generator. The latter is based on a transitive T-function of the form $(\ldots(((x \oplus a_1) + a_2) \oplus a_3) + a_4) \oplus \cdots$, which is not uniformly differentiable modulo 4. Of course, this does not serve as a proof (or a disproof) that there are no linear relations between coordinate sequences produced by the ABC wreath product.

5. Conclusion

In the paper we prove that a vast body of transitive T-functions exhibit linear and quadratic weaknesses: we found a linear (Theorem 5) and a quadratic (Theorem 6) relation that are satisfied by output sequences generated by univariate transitive T-functions that constitute the very vast class $\mathfrak{D}_2$ (see Subsection 2.3 about the latter class). Earlier, relations of this sort were known only for T-functions of two special types: for the Klimov-Shamir T-function $x + (x^2 \vee C)$ and for polynomials with integer coefficients. The class $\mathfrak{D}_2$ is much wider: it contains rational functions and exponential functions, as well as their various compositions with bitwise logical operations. Moreover, we proved that relations of this kind hold in output sequences of the corresponding classes of multivariate T-functions as well as in output sequences of T-function-based counter-dependent generators; the latter are generators with a recursion law of the form $x_{i+1} = f_i(x_i)$. Primitives of both types, the multivariate T-function-based ordinary generators and the T-function-based counter-dependent generators, are used in stream ciphers, e.g., in ASC, TF-i, TSC, and in ABC. We illustrated our method by finding linear relations for a T-function of the sort used in the TSC stream ciphers.
Appendix A. Proofs of Theorems 5 and 6

During the proofs we will need the following

Lemma 1. Let $f$ be a transitive T-function, and let $f$ be uniformly differentiable modulo 4; then

$(f^{2^{N_2(f)}}(z))'_2 \equiv \prod_{j=0}^{2^{N_2(f)} - 1} f'_2(f^j(z)) \equiv 1 \pmod 4,$

for every $z \in \mathbb{Z}_2$.

Proof of Lemma 1. The left-side congruence immediately follows from the chain rule; the right-side congruence is proved in [3], see the end of the proof of Theorem 4.55 there. It is worth noticing that we actually prove both congruences while proving Theorem 6, see Step 5 in the proof of the latter. □

A.1. Proof of Theorem 5. From the transitivity of the T-function $f$ (see the definition of transitivity) it follows that $f^{2^{n-1}}(x) \equiv x \pmod{2^{n-1}}$; that is,

(A.1) $f^{2^{n-1}}(x) = x + 2^{n-1}\varphi(x)$

for a suitable map $\varphi\colon \mathbb{Z}_2 \to \mathbb{Z}_2$. As $f$ is uniformly differentiable modulo 4, from (A.1) we deduce that

(A.2) $f^{i+2^{n-1}}(x) = f^i(f^{2^{n-1}}(x)) = f^i(x + 2^{n-1}\varphi(x)) \equiv f^i(x) + 2^{n-1}\varphi(x)\,(f^i(x))'_2 \pmod{2^{n+1}}$

once $n \ge N_2(f) + 1$.

Further, $\varphi(x) \equiv \alpha(x) + 2\beta(x) \pmod 4$, where $\alpha\colon \mathbb{Z}_2 \to \mathbb{F}_2 = \{0, 1\}$. We claim that $\alpha(x) = 1$ for all $x \in \mathbb{Z}_2$. Indeed, if otherwise, then (A.1) implies that

$f^{2^{n-1}}(x) \equiv x + 2^n\beta(x) \equiv x \pmod{2^n},$

in contradiction to the transitivity of $f$, as necessarily $f^{2^{n-1}}(x) \not\equiv x \pmod{2^n}$ whenever $f$ is transitive. Thus, given $x \in \mathbb{Z}_2$,

(A.3) $\varphi(x) \equiv 1 + 2\beta \pmod 4,$

for a suitable $\beta = \beta(x) \in \mathbb{Z}_2$.

As $f$ is bijective, $f'_2(x) \equiv 1 \pmod 2$ for all $x \in \mathbb{Z}_2$, see Proposition 2. This, in view of (A.2) and (A.3), implies that if we denote $(f^i(x))'_2 \equiv 1 + 2\gamma \pmod 4$ for a suitable $\gamma = \gamma(i; x) \in \{0, 1\}$, then

(A.4) $f^{i+2^{n-1}}(x) \equiv f^i(x) + 2^{n-1}(1 + 2\beta)(1 + 2\gamma) \equiv f^i(x) + 2^{n-1} + 2^n(\beta + \gamma) \pmod{2^{n+1}}.$



Recall that $\chi_j^i = \delta_j(f^i(x)) \in \{0, 1\}$ ($j, i = 0, 1, 2, \ldots$) according to our notation. With this notation, given $x = x_0 \in \mathbb{Z}_2$, the transitivity of $f$ implies that

(A.5) $f^{2^{n-1}}(\chi_0^0 + \chi_1^0 \cdot 2 + \cdots) \equiv \chi_0^{2^{n-1}} + \chi_1^{2^{n-1}} \cdot 2 + \cdots + \chi_{n-2}^{2^{n-1}} \cdot 2^{n-2} + \chi_{n-1}^{2^{n-1}} \cdot 2^{n-1} + \chi_n^{2^{n-1}} \cdot 2^n \equiv \chi_0^0 + \chi_1^0 \cdot 2 + \cdots + \chi_{n-2}^0 \cdot 2^{n-2} + (\chi_{n-1}^0 \oplus 1) \cdot 2^{n-1} + \chi_n^{2^{n-1}} \cdot 2^n \pmod{2^{n+1}},$

where $\oplus$ stands for addition modulo 2. On the other hand,

$f^{2^{n-1}}(\chi_0^0 + \chi_1^0 \cdot 2 + \cdots) \equiv \chi_0^0 + \chi_1^0 \cdot 2 + \cdots + \chi_n^0 \cdot 2^n + 2^{n-1} + 2^n\beta \pmod{2^{n+1}}$

in view of (A.1) and (A.3). Comparing both congruences, we conclude that $\chi_n^{2^{n-1}} \equiv \chi_{n-1}^0 + \chi_n^0 + \beta \pmod 2$; finally,

(A.6) $\beta \equiv \chi_{n-1}^0 + \chi_n^0 + \chi_n^{2^{n-1}} \pmod 2.$

Now from (A.4), (A.5), (A.6) we obtain:

$\chi_0^{i+2^{n-1}} + \chi_1^{i+2^{n-1}} \cdot 2 + \cdots + \chi_{n-1}^{i+2^{n-1}} \cdot 2^{n-1} + \chi_n^{i+2^{n-1}} \cdot 2^n \equiv \chi_0^i + \chi_1^i \cdot 2 + \cdots + \chi_n^i \cdot 2^n + 2^{n-1} + (\chi_{n-1}^0 + \chi_n^0 + \chi_n^{2^{n-1}} + \gamma)\, 2^n \pmod{2^{n+1}};$

hence,

(A.7) $\chi_n^{i+2^{n-1}} \equiv \chi_{n-1}^i + \chi_n^i + \chi_{n-1}^0 + \chi_n^0 + \chi_n^{2^{n-1}} + \gamma \pmod 2.$

Note that the term $\chi_{n-1}^i$ occurs on the right side due to the carry.

Now take (and fix) an arbitrary $x = x_0 \in \mathbb{Z}_2$. We claim that the function $\gamma(i) = \gamma(i; x)$ is periodic with respect to the variable $i = 0, 1, 2, \ldots$, and that the length of the shortest period of $\gamma(i)$ is a factor of $2^{N_2(f)}$.

Denote $N = N_2(f)$. As $\gamma(i) = \delta_1((f^i(x))'_2)$ by definition, $\gamma(i)$ cannot depend on $n$ once $n \ge N + 1$; furthermore, we have that $\gamma(i + 2^N) = \delta_1((f^{i+2^N}(x))'_2)$. Using sequentially the chain rule and Lemma 1 for $z = f^i(x)$ we get:

$(f^{i+2^N}(x))'_2 \equiv \prod_{j=0}^{i+2^N-1} f'_2(f^j(x)) \equiv \prod_{j=0}^{i-1} f'_2(f^j(x)) \cdot \prod_{j=0}^{2^N-1} f'_2(f^{j+i}(x)) \equiv \prod_{j=0}^{i-1} f'_2(f^j(x)) \equiv (f^i(x))'_2 \pmod 4.$

Therefore, $\gamma(i + 2^N) = \delta_1((f^{i+2^N}(x))'_2) = \delta_1((f^i(x))'_2) = \gamma(i)$. This proves our claim and Theorem 5. □

A.2. Proof of Theorem 6. The proof mimics the respective steps of the proof of Theorem 5.

Step 1: As $f^{2^{n-2}}(x) = x + 2^{n-2}\varphi(x)$ for a suitable map $\varphi\colon \mathbb{Z}_2 \to \mathbb{Z}_2$, given $n \ge N_3(f) + 2$ we have that

(A.8) $f^{i+2^{n-2}}(x) \equiv f^i(x) + 2^{n-2}\varphi(x)\,(f^i(x))'_3 \pmod{2^{n+1}},$

cf. (A.1) and (A.2).

Step 2: Denote $\varphi(x) \equiv \alpha + 2\beta + 4\gamma \pmod 8$, for suitable $\alpha, \beta, \gamma \in \{0, 1\}$. We prove that $\alpha = 1$ exactly in the same way as in the proof of Theorem 5.

Step 3: We have then that $(f^i(x))'_3 \equiv 1 + 2\lambda + 4\eta \pmod 8$, for suitable $\lambda, \eta \in \{0, 1\}$. Therefore,

(A.9) $f^{i+2^{n-2}}(x) = f^i(f^{2^{n-2}}(x)) = f^i(x + 2^{n-2}\varphi(x)) \equiv f^i(x) + 2^{n-2} + 2^{n-1}(\beta + \lambda) + 2^n(\beta\lambda + \gamma + \eta) \pmod{2^{n+1}},$

cf. (A.4).

Step 4: Now we act as in the proof of (A.7). On the one hand,

(A.10) $f^{2^{n-2}}(\chi_0^0 + \chi_1^0 \cdot 2 + \cdots) \equiv \chi_0^{2^{n-2}} + \chi_1^{2^{n-2}} \cdot 2 + \cdots + \chi_{n-2}^{2^{n-2}} \cdot 2^{n-2} + \chi_{n-1}^{2^{n-2}} \cdot 2^{n-1} + \chi_n^{2^{n-2}} \cdot 2^n \equiv \chi_0^0 + \chi_1^0 \cdot 2 + \cdots + (\chi_{n-2}^0 \oplus 1) \cdot 2^{n-2} + \chi_{n-1}^{2^{n-2}} \cdot 2^{n-1} + \chi_n^{2^{n-2}} \cdot 2^n \pmod{2^{n+1}},$

while on the other hand,

$f^{2^{n-2}}(\chi_0^0 + \chi_1^0 \cdot 2 + \cdots) \equiv \chi_0^0 + \chi_1^0 \cdot 2 + \cdots + \chi_n^0 \cdot 2^n + 2^{n-2} + 2^{n-1}\beta + 2^n\gamma \pmod{2^{n+1}}.$

From here we deduce that $\chi_{n-1}^{2^{n-2}} = \chi_{n-1}^0 \oplus \chi_{n-2}^0 \oplus \beta$; hence

(A.11) $\beta \equiv \chi_{n-1}^0 + \chi_{n-2}^0 + \chi_{n-1}^{2^{n-2}} \pmod 2,$

cf. (A.6). Now, combining together (A.9), (A.10), (A.11), we get

$\chi_0^{i+2^{n-2}} + \chi_1^{i+2^{n-2}} \cdot 2 + \cdots + \chi_n^{i+2^{n-2}} \cdot 2^n \equiv \chi_0^i + \chi_1^i \cdot 2 + \cdots + \chi_n^i \cdot 2^n + 2^{n-2} + 2^{n-1}(\chi_{n-2}^0 + \chi_{n-1}^0 + \chi_{n-1}^{2^{n-2}} + \lambda) + 2^n(\beta\lambda + \gamma + \eta) \pmod{2^{n+1}},$

so we conclude that

$\chi_{n-1}^{i+2^{n-2}} \equiv \chi_{n-2}^i + \chi_{n-1}^i + \chi_{n-2}^0 + \chi_{n-1}^0 + \chi_{n-1}^{2^{n-2}} + \lambda \pmod 2$

and that

$\chi_n^{i+2^{n-2}} \equiv \chi_{n-2}^i \chi_{n-1}^i + \chi_{n-2}^i(\chi_{n-2}^0 + \chi_{n-1}^0 + \chi_{n-1}^{2^{n-2}} + \lambda) + \chi_{n-1}^i(\chi_{n-2}^0 + \chi_{n-1}^0 + \chi_{n-1}^{2^{n-2}} + \lambda) + \chi_n^i + \beta\lambda + \gamma + \eta \pmod 2.$

From here we finally obtain that

$\chi_n^{i+2^{n-2}} \equiv \chi_{n-2}^i \chi_{n-1}^i + \theta(n)\,(\chi_{n-2}^i + \chi_{n-1}^i) + \chi_n^i + \gamma_i \pmod 2,$

where $\theta(n) \equiv \chi_{n-2}^0 + \chi_{n-1}^0 + \chi_{n-1}^{2^{n-2}} + \lambda \pmod 2$ and $\gamma_i \equiv \beta\lambda + \gamma + \eta \pmod 2$.

Step 5: Take and fix an arbitrary $x \in \mathbb{Z}_2$ and $n \ge N_3(f) + 2$; thereby we fix $\beta, \gamma \in \{0, 1\}$; however, both $\beta$ and $\gamma$ depend on $n$. We claim that the binary sequence $(\gamma_i)_{i=0}^\infty$ is periodic, and that the length of its shortest period is a factor of $2^{N_3(f)}$.

Indeed, by the chain rule

(A.12) $(f^\ell(z))'_3 \equiv \prod_{j=0}^{\ell-1} f'_3(f^j(z)) \pmod 8,$

for arbitrary $z \in \mathbb{Z}_2$ and $\ell = 1, 2, \ldots$. As $f$ is a transitive T-function, $f^{i+2^{N_3(f)}}(x) = f^i(x + 2^{N_3(f)}\Phi(x))$ for a suitable $\Phi\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ (cf. (A.1) and (A.2)); and moreover,

$f^j(x + 2^{N_3(f)}\Phi(x)) = f^j(x) \bmod 2^{N_3(f)} + 2^{N_3(f)}\Phi_j(x),$

where $f^j(x) \bmod 2^{N_3(f)}$ stands for the least non-negative residue of $f^j(x)$ modulo $2^{N_3(f)}$ and $\Phi_j(x) \in \mathbb{Z}_2$. Now, combining the latter equality with (A.12) we see that

(A.13) $(f^{i+2^{N_3(f)}}(x))'_3 = (f^i(x + 2^{N_3(f)}\Phi(x)))'_3 \equiv \prod_{j=0}^{i-1} f'_3(f^j(x + 2^{N_3(f)}\Phi(x))) = \prod_{j=0}^{i-1} f'_3(f^j(x) \bmod 2^{N_3(f)} + 2^{N_3(f)}\Phi_j(x)) \equiv \prod_{j=0}^{i-1} f'_3(f^j(x) \bmod 2^{N_3(f)}) \equiv (f^i(x))'_3 \pmod 8,$

as $f'_3(x)$ is a periodic function with a period of length $2^{N_3(f)}$, cf. Proposition 1.

Now, as $\lambda = \delta_1((f^i(x))'_3)$ and $\eta = \delta_2((f^i(x))'_3)$, the functions $\lambda = \lambda(i)$ and $\eta = \eta(i)$ are periodic with respect to the variable $i = 0, 1, 2, \ldots$, and the lengths of their shortest periods are factors of $2^{N_3(f)}$. Consequently, the sequence $(\gamma_i)_{i=0}^\infty$ is periodic, and the length of its shortest period is $2^K$ for some $0 \le K \le N_3(f)$. □